Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for detecting a security threat in a wireless mesh network, comprising: detecting, by a monitoring device in the wireless mesh network, a first message transmitted by a source node in the wireless mesh network to a destination node in the wireless mesh network via at least one relay node in the wireless mesh network and the monitoring device is separate from the destination node, wherein the monitoring device sniffs messages as they are being transmitted between the source node and destination mode in the wireless mesh network; collecting, by the monitoring device, information from the first message as it is transmitted in the wireless mesh network by directly collecting the information while listening to the first message as it is transmitted from the source node to the destination node over the wireless mesh network; determining, by the monitoring device, that the first message has been corrupted based on analysis of the information from the first message; and detecting, by the monitoring device, the security threat in the wireless mesh network based on the first message being corrupted.
2. The method of claim 1, wherein the detecting the security threat comprises: identifying, by the monitoring device, the at least one relay node as the security threat in the wireless mesh network based on a determination that the first message has been corrupted by the at least one relay node.
3. The method of claim 2, further comprising: notifying, by the monitoring device, a user of the wireless mesh network that the at least one relay node is the security threat.
4. The method of claim 2, further comprising: notifying, by the monitoring device, a manufacturer of the at least one relay node that the at least one relay node is the security threat.
5. The method of claim 2, further comprising: recording, by the monitoring device, information about the at least one relay node in response to the identifying.
6. The method of claim 5, wherein the information comprises a make and model of the at least one relay node.
7. The method of claim 2, further comprising: removing, by the monitoring device, the at least one relay node from the wireless mesh network.
8. The method of claim 7, further comprising: initiating, by the monitoring device, a network key refresh procedure for all remaining nodes in the wireless mesh network.
9. The method of claim 7, further comprising: instructing, by the monitoring device, all remaining nodes in the wireless mesh network to flush their local source and sequence number cache.
10. The method of claim 1, wherein the information from the first message comprises an address of the source node, an address of the destination node, and a sequence number associated with the address of the source node.
11. The method of claim 10, wherein the monitoring device determines that the first message has been corrupted based on the address of the destination node, the sequence number, or both, being changed as the first message is transmitted in the wireless mesh network.
12. The method of claim 11, further comprising: identifying, by the monitoring device, the at least one relay node as the security threat in the wireless mesh network based on a determination that the at least one relay node changed the address of the destination node, the sequence number, or both.
13. The method of claim 1, wherein the information from the first message comprises a time-to-live (TTL) field that is decremented by each relay node that relays the first message as it is transmitted in the wireless mesh network.
14. The method of claim 13, wherein the monitoring device determines that the first message has been corrupted based on the TTL field being changed to 0 before it reached the destination node or to a value greater than a threshold indicative of a corrupted TTL field.
15. The method of claim 14, further comprising: identifying, by the monitoring device, the at least one relay node as the security threat in the wireless mesh network based on a determination that the at least one relay node changed the TTL field to 0 before it reached the destination node or to the value greater than the threshold indicative of a corrupted TTL field.
16. The method of claim 1, wherein the determining comprises: uploading, by the monitoring device, the information from the first message to a remote server, wherein the remote server performs the analysis of the information from the first message; and receiving, at the monitoring device, a notification from the remote server that the first message has been corrupted.
17. The method of claim 1, wherein the monitoring device is a provisioner node in the wireless mesh network.
18. The method of claim 1, wherein the monitoring device is not a provisioner node or controller node in the wireless mesh network.
19. The method of claim 1, wherein the monitoring device is a stationary mains-powered device in the wireless mesh network.
20. The method of claim 1, wherein the monitoring device is a battery-powered mobile device in the wireless mesh network.
21. The method of claim 1, wherein the wireless mesh network comprises a Bluetooth® mesh network.
22. An apparatus for detecting a security threat in a wireless mesh network, comprising: at least one hardware processor of a monitoring device in the wireless mesh network configured to: detect a first message transmitted by a source node in the wireless mesh network to a destination node in the wireless mesh network via at least one relay node in the wireless mesh network and the monitoring device is separate from the destination node, wherein the monitoring device sniffs messages as they are being transmitted between the source node and destination mode in the wireless mesh network; collect information from the first message as it is transmitted in the wireless mesh network by directly collecting the information while listening to the first message as it is transmitted from the source node to the destination node over the wireless mesh network; determine that the first message has been corrupted based on analysis of the information from the first message; and detect the security threat in the wireless mesh network based on the first message being corrupted.
23. The apparatus of claim 22, wherein the at least one processor being configured to detect the security threat comprises the at least one processor being configured to: identify the at least one relay node as the security threat in the wireless mesh network based on a determination that the first message has been corrupted by the at least one relay node.
24. The apparatus of claim 23, wherein the at least one processor is further configured to: notify a user of the wireless mesh network that the at least one relay node is the security threat.
25. The apparatus of claim 23, wherein the at least one processor is further configured to: notify a manufacturer of the at least one relay node that the at least one relay node is the security threat.
26. The apparatus of claim 23, wherein the at least one processor is further configured to: record information about the at least one relay node in response to the identifying.
27. The apparatus of claim 26, wherein the information comprises a make and model of the at least one relay node.
28. The apparatus of claim 23, wherein the at least one processor is further configured to: remove the at least one relay node from the wireless mesh network.
29. The apparatus of claim 28, wherein the at least one processor is further configured to: initiate a network key refresh procedure for all remaining nodes in the wireless mesh network.
30. The apparatus of claim 28, wherein the at least one processor is further configured to: instruct all remaining nodes in the wireless mesh network to flush their local source and sequence number cache.
31. The apparatus of claim 22, wherein the information from the first message comprises an address of the source node, an address of the destination node, and a sequence number associated with the address of the source node.
32. The apparatus of claim 31, wherein the monitoring device determines that the first message has been corrupted based on the address of the destination node, the sequence number, or both, being changed as the first message is transmitted in the wireless mesh network.
33. The apparatus of claim 32, wherein the at least one processor is further configured to: identify the at least one relay node as the security threat in the wireless mesh network based on a determination that the at least one relay node changed the address of the destination node, the sequence number, or both.
34. The apparatus of claim 22, wherein the information from the first message comprises a time-to-live (TTL) field that is decremented by each relay node that relays the first message as it is transmitted in the wireless mesh network.
35. The apparatus of claim 34, wherein the monitoring device determines that the first message has been corrupted based on the TTL field being changed to 0 before it reached the destination node or to a value greater than a threshold indicative of a corrupted TTL field.
36. The apparatus of claim 35, wherein the at least one processor is further configured to: identify the at least one relay node as the security threat in the wireless mesh network based on a determination that the at least one relay node changed the TTL field to 0 before it reached the destination node or to the value greater than the threshold indicative of a corrupted TTL field.
37. The apparatus of claim 22, wherein the at least one processor being configured to determine comprises the at least one processor being configured to: upload the information from the first message to a remote server, wherein the remote server performs the analysis of the information from the first message; and receive a notification from the remote server that the first message has been corrupted.
38. The apparatus of claim 22, wherein the monitoring device is a provisioner node in the wireless mesh network.
39. The apparatus of claim 22, wherein the monitoring device is not a provisioner node or controller node in the wireless mesh network.
40. The apparatus of claim 22, wherein the monitoring device is a stationary mains-powered device in the wireless mesh network.
41. The apparatus of claim 22, wherein the monitoring device is a battery-powered mobile device in the wireless mesh network.
42. The apparatus of claim 22, wherein the wireless mesh network comprises a Bluetooth® mesh network.
43. A non-transitory computer-readable medium storing computer executable instructions when executed by a hardware processor for detecting a security threat in a wireless mesh network, the computer-executable instructions comprising: at least one instruction instructing a monitoring device in the wireless mesh network to detect a first message transmitted by a source node in the wireless mesh network to a destination node in the wireless mesh network via at least one relay node in the wireless mesh network and the monitoring device is separate from the destination node, wherein the monitoring device sniffs messages as they are being transmitted between the source node and destination mode in the wireless mesh network; at least one instruction instructing the monitoring device to collect information from the first message as it is transmitted in the wireless mesh network by directly collecting the information while listening to the first message as it is transmitted from the source node to the destination node over the wireless mesh network; at least one instruction instructing the monitoring device to determine that the first message has been corrupted based on analysis of the information from the first message; and at least one instruction instructing the monitoring device to detect the security threat in the wireless mesh network based on the first message being corrupted.
44. An apparatus for detecting a security threat in a wireless mesh network, comprising: means for processing of a monitoring device in the wireless mesh network configured to: detect a first message transmitted by a source node in the wireless mesh network to a destination node in the wireless mesh network via at least one relay node in the wireless mesh network and the monitoring device is separate from the destination device, wherein the monitoring device sniffs messages as they are being transmitted between the source node and destination mode in the wireless mesh network; collect information from the first message as it is transmitted in the wireless mesh network by directly collecting the information while listening to the first message as it is transmitted from the source device to the destination device over the wireless mesh network; determine that the first message has been corrupted based on analysis of the information from the first message; and detect the security threat in the wireless mesh network based on the first message being corrupted.
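The per-hop checks described in claims 10 to 15, as an added example that is not part of the patent or its filing: a monitor compares each overheard relayed copy with the copy from the previous hop and attributes a changed destination address, a changed sequence number, or a corrupted TTL to the relay that transmitted it. The `Observation` fields, the `msg_id` correlator, the hop-ordered input, the sample data and the default threshold (the TTL the source sent) are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Observation:
    msg_id: str        # hypothetical correlator linking copies of one message
    transmitter: str   # node the monitor heard sending this copy
    src: int
    dst: int
    seq: int
    ttl: int

def check_copies(copies, ttl_threshold: Optional[int] = None):
    """copies: one message's observations in hop order, source copy first."""
    limit = copies[0].ttl if ttl_threshold is None else ttl_threshold
    findings = []
    for prev, cur in zip(copies, copies[1:]):
        reasons = []
        if cur.dst != prev.dst:
            reasons.append("dst changed")
        if cur.seq != prev.seq:
            reasons.append("seq changed")
        # A correct relay decrements TTL by one; anything else is inspected.
        if cur.ttl != prev.ttl - 1:
            if cur.ttl > limit:
                reasons.append("ttl above threshold")
            elif cur.ttl == 0:
                reasons.append("ttl zeroed early")
        if reasons:
            findings.append((cur.transmitter, reasons))
    return findings

def detect(observations, ttl_threshold: Optional[int] = None):
    """Group sniffed copies by message and return {relay: sorted reasons}."""
    by_msg = defaultdict(list)
    for obs in observations:
        by_msg[obs.msg_id].append(obs)
    suspects = defaultdict(set)
    for copies in by_msg.values():
        for node, reasons in check_copies(copies, ttl_threshold):
            suspects[node].update(reasons)
    return {node: sorted(r) for node, r in suspects.items()}

SAMPLE = [  # constructed observations, not captured traffic
    Observation("m1", "A", 0x0001, 0x0005, 100, 5),
    Observation("m1", "R1", 0x0001, 0x0005, 100, 4),
    Observation("m1", "R2", 0x0001, 0x0009, 100, 3),   # destination rewritten
    Observation("m1", "R3", 0x0001, 0x0009, 100, 2),   # honest forward of bad copy
    Observation("m2", "A", 0x0001, 0x0005, 101, 5),
    Observation("m2", "R1", 0x0001, 0x0005, 101, 0),   # TTL forced to 0
    Observation("m3", "A", 0x0001, 0x0005, 102, 5),
    Observation("m3", "R3", 0x0001, 0x0005, 900, 90),  # seq and TTL rewritten
]
```

Comparing against the previous hop rather than the source copy keeps an honest relay that forwards an already-altered message (R3 on `m1`) from being blamed for the change.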
September 14, 2021